Safety boundaries
- Website text is explicitly treated as untrusted data, never as an instruction.
- Common secrets and credentials are removed before model submission.
- No shell, repository, browser, database, or deployment tool is available to the model.
- Structured output limits every field, list, and response shape.
- A human reviews and applies every suggested change.